Trying to get a verifiable client engaged
ajs6f committed May 22, 2013
1 parent 51bac90 commit 80d3004
Showing 2 changed files with 73 additions and 9 deletions.
3 changes: 3 additions & 0 deletions fcrepo-webapp/src/main/resources/logback.xml
Expand Up @@ -21,6 +21,9 @@
<logger name="org.infinispan" additivity="false" level="WARN">
<appender-ref ref="STDOUT"/>
</logger>
<logger name="org.jgroups" additivity="false" level="WARN">
<appender-ref ref="STDOUT"/>
</logger>
<root additivity="false" level="INFO">
<appender-ref ref="STDOUT"/>
</root>
Expand Down
79 changes: 70 additions & 9 deletions fcrepo-webapp/src/main/resources/spring/security.xml
Expand Up @@ -2,28 +2,48 @@
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

<http entry-point-ref="oauthAuthenticationEntryPoint"

<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
<anonymous enabled="true"/>
<http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
</http>

<http pattern="/rest/**" entry-point-ref="oauthAuthenticationEntryPoint"
create-session="never"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false"/>
<intercept-url pattern="/rest/objects/test:oauth" access="ROLE_USER"/>
<custom-filter ref="oauthFilter" before="PRE_AUTH_FILTER"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
</http>

<http disable-url-rewriting="true"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/**" access="ROLE_USER"/>
<intercept-url pattern="/**"
access="IS_AUTHENTICATED_ANONYMOUSLY,IS_AUTHENTICATED_FULLY"/>
<http-basic/>
<logout/>
<anonymous/>
</http>

<oauth:resource-server id="oauthFilter"/>
<oauth:resource-server id="resourceServerFilter" resource-id="fedora"
token-services-ref="tokenServices"/>

<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="fedora"/>
</bean>



<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
Expand All @@ -33,8 +53,8 @@
</authentication-provider>
</authentication-manager>

<!-- apparently the following stuff has to do with authenticating the identity of
OAuth clients for Fedora (as opposed to users) -->
<!-- the following stuff has to do with authenticating the identity of
OAuth clients for Fedora (as opposed to users?) -->

<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
Expand All @@ -54,12 +74,53 @@

<client-details-service id="clientDetails"
xmlns="http://www.springframework.org/schema/security/oauth2">
<client client-id="ajs6f" authorized-grant-types="authorization_code"/>
<client client-id="fedora"
authorized-grant-types="password, refresh_token, implicit, client_credentials, authorization_code, web_server"
authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"/>
</client-details-service>

<!-- other -->
<authorization-server client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
xmlns="http://www.springframework.org/schema/security/oauth2">
<authorization-code/>
<implicit/>
<refresh-token/>
<client-credentials/>
<password/>
</authorization-server>

<!--define an oauth 2 resource for Fedora's trusted client on Fedora -->
<oauth:resource id="trusted" client-id="fedora"
access-token-uri="http://localhost:8080/rest/oauth/token"/>


<!-- the following two elements support token minting, in some way... -->

<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore"/>

<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore"/>
<property name="supportRefreshToken" value="true"/>
<property name="clientDetailsService" ref="clientDetails"/>
<property name="accessTokenValiditySeconds" value="0"/>
</bean>

<!-- seems to control a 401 page of some kind, or perhaps a 403 page? -->
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>

<!-- the following two elements appear to involve the interpretation of Spring EL expressions that indicate
which resources are to be guarded...? -->
<global-method-security pre-post-annotations="enabled"
proxy-target-class="true"
xmlns="http://www.springframework.org/schema/security">
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<expression-handler ref="oauthExpressionHandler"/>
</global-method-security>
<oauth:expression-handler id="oauthExpressionHandler"/>



</beans>
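Review bot: The `fedora` entry at `<client client-id="fedora" authorized-grant-types="password, refresh_token, implicit, client_credentials, authorization_code, web_server" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"/>` grants every grant type and trusted-client authority but declares no `secret`, so, as far as the hunk shows, the http-basic client authentication on the `/oauth/token` chain has no credential to check and the client id alone is enough to obtain a token via `client_credentials` or `password`. If a shared secret is intended, add `secret="CLIENT_SECRET_PLACEHOLDER"` on that element (and consider narrowing `authorized-grant-types` to what the verifiable client actually exercises). Related, `<property name="accessTokenValiditySeconds" value="0"/>` on `tokenServices` — as I read DefaultTokenServices, a non-positive validity leaves minted tokens with no expiry, which with `InMemoryTokenStore` means they remain valid until the JVM restarts; either a positive value or a comment stating that unbounded tokens are deliberate for this experiment would make the intent explicit. Also worth a comment in the first hunk: the `/rest/**` chain has an `intercept-url` only for `/rest/objects/test:oauth`, so every other `/rest/**` path reaches the resource-server filters with no access rule at all, which reads as scaffolding rather than the intended policy.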
